* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Hacking Part 1
Computer security wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer network wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Parallel port wikipedia , lookup
Wireless security wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Microsoft Security Essentials wikipedia , lookup
Airborne Networking wikipedia , lookup
Network tap wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
TCP congestion control wikipedia , lookup
Server Message Block wikipedia , lookup
Distributed firewall wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Internet protocol suite wikipedia , lookup
Hacking Part 1 1 Intro to Network Security Hacking Part 1 Text: Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al. Chapter 15 Objectives: The student should be able to: Define DNS, zone transfer, traceroute, ping, ping sweep, port scanning, finger printing, banner grabbing, SNMP. List the goals, techniques, and 2 countermeasures for Footprinting. List the goals, techniques, and 2 countermeasures for Scanning. List the goals of enumeration. List 6 vendor-independent steps that can protect systems against hackers. Class Time: Lecture: Footprinting Scanning Enumeration Lab 1: Footprinting Total: ½ hour ½ hour 1 hour 1 hour 3 hours Hacking Part 1 2 Hacking Techniques & Countermeasures To break into a location (store, bank) you would: Case the joint (security guards, visibility, cameras, …) To hack into a system the steps include: Footprint: Get a big picture of what the network is Scan: Identify reachable hosts, services, OS/service versions Enumerate: Get specific details on the network OS/services Exploit: Take advantage of hacking reconnaissance Step 1: Footprinting Footprinting: Gather information about target. Stages include: Determine scope of activity: What is out there & what does hacker hope to accomplish? Search company web pages: locations, subsidiaries, contact names, phone numbers, email, privacy or security policies, links to organization’s other web servers. Monitor HTML comment tags not publicly shown Perform open-source searches for info on target: news, press releases www.sec.gov EDGAR database lists publicly traded companies: recently-listed or recently-acquired often vulnerable Network Enumeration: Discover networks attached to the domains Obtain information from whois databases Identify domain names: ms.com and Microsoft.com Network Reconnaissance: Learn network topology via DNS interrogation and network commands (e.g., traceroute) Network Enumeration Stage Whois provides information on: Registrar: Sponsoring company Organizational/Point of contact: Contact information Social Engineering: break into company via human interface – via phone or email, posing as a trusted support person War dialers: search for dial up modems Network/Domain: DNS server names, CIDR range Whois databases include: www.networksolutions.com (Network Solutions had a monopoly as main registrar for domain names until 1999). www.arin.net : American Registry for Internet Numbers www.samspade.org www.nic.gov/whois.html www.allwhois.com Hacking Part 1 3 Whois Example: [bash] whois “Tellurian Net*”@whois.arin.net Guard Security by: Posting fictitious names in whois database Keep contact information, contact registration in registry up-to-date Ensure secure access to registry (AOL was defrauded in 1998) Network Reconnaissance Network Reconnaissance: Learn network topology DNS Interrogation: Learn location of web, email, firewall servers DNS: Domain Name Server maps IP addresses to hostnames and vice versa Zone transfers dump the contents of the DNS database to a secondary site (intention: backup site) DNS Lookup Command: nslookup … set type=any ls –d Tellurian.net. >> /tmp/store ce 1D IN CNAME Aesop au 1D IN A 192.168.230.4 1D IN TXT “Location: Library” 1D IN RP jcoy.erebus jcoy.who 1D IN MX 0 tellurianadmin-smtp Above we are asking to use the Tellurian.net DNS server to list all records for the domain HINFO: Identifies platform/OS MX: Mail Exchange (Email server) A: Internet Address To Guard Security: Prevent or restrict zone transfers to authorized machines/users Disable inbound connections to TCP port 53: TCP zone transfer, UDP name lookups However, UDP name lookups sent as TCP requests when > 512 bytes Exclude internal network information in external name servers Eliminate HINFO records from name servers Log inbound connections to port 53 to track potential attacks Traceroute: Provides list of routers between source and destination To run: [bash]$ traceroute cs.uwp.edu [DOS] tracert Hacking Part 1 Traceroute can be run from multiple locations to learn multiple entry points into network How traceroute operates: Traceroute uses ICMP_TIME_EXCEEDED messages Windows: Uses ICMP echo request packet UNIX: uses UDP or ICMP with –I option To Guard Security: Block ICMP and UDP at network edge (firewall or router) Note: Blocking only ICMP or UDP may allow access, since both may be used Use IDS systems to detect traceroute requests www.snort.org: Free IDS program detects these RotoRouter: www.ussrback.com/UNIX/loggers/rr.c.gz: generates fake responses to traceroutes. Step 2: Scanning Scanning: Finding entries (doors, windows / IP addresses, ports) into the network Host Scanning: Which IP addresses are valid? Network Scanning: How is the network routing system organized? Port Scanning: Which services are running on which ports? Fingerprinting: Which software versions are running on different sockets? Active fingerprinting: Send specific messages & observe replies Passive fingerprinting: Observe patterns in IP packets Stealth scanning: Slow scanning stays under intrusion detection radar screen Locating Valid IP Addresses Ping: Source: Are you there? Dest: Yes I am here Send ICMP ECHO; Reply ICMP ECHO REPLY Ping Sweep: Search all IP addresses in range to determine active IP addresses When ICMP traffic is blocked: Proceed to port scanning to determine active addresses ICMP Queries: Gather timestamps and address masks ICMP type 13: Timestamp – how synchronized is the network? ICMP type 17: netmask or address mask: Determine IP addresses, routers 4 Hacking Part 1 5 To Guard Security: Detect ping sweeps and incoming ICMP traffic for port scans via IDS Identify attacker and possible time of attack Filter all ICMP traffic Filter ICMP TIMESTAMP and ADDRESS MASK packet requests Minimal: Allow ECHO_REPLY, HOST_UNREACHABLE, TIME_EXCEEDED into demilitarized zone (DMZ) Once in: can use loki tool to tunnel data within an ICMP ECHO packet Locating Services on Hosts Port Scanning: Which ports are in a listening state? Scan types: TCP connect scan: Performs 3-way handshake TCP SYN: SYN SYN/ACK TCP FIN: FINRST (UNIX) TCP XmasTree scan: FIN/URG/PUSHRST TCP Null: no flagsRST TCP ACK: ACK Is firewall stateful? TCP Windows: Identify system via window size reporting TCP RCP: Identify RCP ports, program names and version numbers UDP Scan: If inactive ICMP port unreachable Port scanners include: Nmap or Network Mapper: TCP/UDP, decoy or bogus scans supported to complicate IDS detection Windows scanners: NetScan, SuperScan, Strobe: efficient, banner-grabbing, TCP scanning Udp_scan (SATAN/SAINT): Fast Netcat or nc: TCP & UDP port scanning, verbose options NetScan: axfr, whois, ping sweeps, NetBIOS name table scans, SNMP walks, etc. Results: Identify system as well as active ports Microsoft NT: supports port 139 & 135 Microsoft 95/98: port 139 UNIX: 111 Portmapper To Guard Security: Detect port scans using IDS or snort: Snort: Free (www.snort.org) Disable all unnecessary services UNIX: comment out unnecessary services in /etc/inetd.conf WINDOWS: Disable services via Control Panel/Services Hacking Part 1 Scan to find unnecessary services Can use www.grc.com to scan your own machine or network Step 3: Enumerate: Get Specific Details on OS/Services Fingerprinting: Identifying the system software Active Stack Fingerprinting: Send messages to determine versions of system software Stack Fingerprinting: Identify host OS. Banner Grabbing: Identify applications (including version if possible) Identify host OS version: FIN probe, Bogus Flag probe, Initial Sequence Number sampling, Don’t fragment bit monitoring, TCP initial window size, ACK value, ICMP message reactions, etc. Passive Stack Fingerprinting: Monitors network traffic to determine OS Tool: Siphon TTL: What is initial Time To Live value? Window Size: What is the default window size? DF: Is the Don’t Fragment flag set? Automated Vulnerability Tools: Nessus/NeWT: Identifies open ports, vendor, type, versions of software packages. Nikto: Identifies web vulnerabilities Cheops: Graphical utility integrates ping, traceroute, port scanning capabilities and OS detection into automatic package that provides network diagram (routers, hosts…) NMAP: T option slows down scan to where it is not recognized by IDS. SARA/SAINT: Enumerate vulnerabilities on UNIX MBSA/GFI LANguard: Enumerate vulnerabilities for Microsoft products Manual Tools: Telnet, nc, netcat Banner Grabbing: Start up a telnet application to ports in turn: C:\>telnet <IP_addr> <port_nr> C:\>telnet 10.10.0.1 80 HTTP/1.0 400 Bad Request Server: Netscape-Commerce/1.12 Your browser sent a non-HTTP compliant message. OR use netcat: C:\> nc –v www.corleone.com 80 <enter> OR C:\> nc –n 10.10.0.1 80 6 Hacking Part 1 7 <enter> Countermeasures: Shut down unnecessary services Changing the banner is difficult but possible Eliminate any entry points: e.g., default passwords Auditing Checks: Be careful of false positives and false negatives! Slow responses can result in wrong conclusion Banners may not reflect all patches Vulnerabilities may be eligible only if combined with a particular version of OS Vulnerability tests can have bugs A vulnerability may exist – but the context may not exist for the application Specific network h/w may impact test (e.g., load balancing, firewall proxies) Therefore: Use two tools to test! Determine if vulnerability exist in context of OS, applications, etc. Treat information as confidential Step 4: Exploit Can include: Password Guessing Exploit known vulnerabilities of software Session Hijacking: Take over existing session After Break-In Create backdoors for reentry Weaken security Vendor-Independent Steps to Minimize Security Risks Ensure machines run minimal services – particularly servers Run the most up-to-date versions with patches installed Restrict access to services (,data, configuration files) based on need Minimize service banners and display warnings against trespassing Collect and monitor logs via remote server (login attempts, changes in permissions, accounts, or log/audit settings, file/printer accesses, etc.) Ensure remote administration uses strong authentication and encryption controls Use file integrity checking tools Partition services and hardware in network to maximize security! Hacking Part 1 A Look at Specific Applications (More can be found in Hacking Exposed: Network Security Secrets & Solutions) TFTP TCP/UDP 69 Simple file transfer protocol that sends in cleartext Lacks any authentication mechanism [root$] tftp 192.168.202.34 Tftp> connect 192.168.202.34 Tftp> get /etc/passwd /tmp/crackpasswd Tftp> quit Countermeasures: Block TCP/UDP port 69 at firewall Limit access to the /tftpboot directory Avoid tftp Simple Network Management Protocol UDP 161 Collects information from the network – and may give it away too. “Security Not My Problem”: SNMP read-only mode password is “public” C:\> snmputil walk <ip_addr> public <objectID> C:\> snmputil walk 10.10.0.2 public .1.3.6.1.4.1.77.1.2.25 Can provide usernames, OS version, share names/paths, running services, etc. Countermeasures: Block TCP/UDP 161 at network perimeter Use an excellent password Disable SNMP if not required Upgrade to latest (more secure) versions of SNMP with authentication & encryption. Use regedt tool to set security option to permit only approved user access Trojan Ports Close off all ports used by Trojan horses: www.doshelp.com/trojanports.htm Port 80 (web) can also be used by trojans and other applications when their normal port is closed ICMP The following ICMP messages should be considered for closing: Ping, Destination Unreachable, (Subnet) Address Mask Request, Echo, Host Unreachable, Port Unreachable, Redirect, Time Exceeded, Admin Prohibited (ACL denied) A Look at Specific Applications: UNIX UNIX Remote Procedure Call, TCP/UDP 111, 32771 The portmapper provides info on RPC programs, versions, protocol, port 8 Hacking Part 1 [root$] rpcinfo –p <ip_addr> C:\> rpcdump <ip_addr> [root$] nmap –sS –sR <ip_addr> Countermeasures: Use authentication (and possibly encryption) with RPC Block ports 111, 32771 and other RPC ports to outside UNIX: port 111 Sun: port 32771 Network File System, TCP/UDP 2049 List directories being shared [root$] showmount –e <ip_addr> export list for <ip_addr> /pub (everyone) /usr user Countermeasures: Ensure exported file systems have proper permissions (set read/write permissions per host) Block NFS at network perimeter: TCP/UDP 2049 9 Hacking Part 1 10 Introduction to Microsoft Windows Before Windows 2000: Firewall/Router Mbrowser H1 WINShost H2 H3 H4 Primary DC Has 3 Servers: Mbrowser (Master Browser): Lists hosts part of Network Neighborhood WINShost: Translates NetBiOS host names to IP addresses Primary DC: Primary Domain Controller for Authentication After Windows 2000: Firewall/Router MS Server H1 H6 H2 H3 H4 H5 Hacking Part 1 11 Has 1 Server which contains: Domain Controller with Active Directory (User Accts) DNS Server: Domain names and structures: Translates to IP addresses Kerberos Server: Top-notch authentication Integration allows Kerberos authentication control over network accesses Questions: How can we try to make this network and its data as safe as possible? Disable ports at entry point Monitor ports via IDS internally to find worms, inside attackers Passwords can be cracked with monitoring Hierarchical networks In MS Windows, a hierarchy can include a Forest, Domain, single machine, etc. Using Domains, authentication and control can occur locally (at machine) or remotely (at domain server). E.g., Administrator or user at domain level can become administrator or user at local level automatically When authentication is applied at the local and remote levels, and for different groups in different ways, unexpected permissions may arise. The gpresult.exe command (XP/2003) provides result permissions. Local Control: Minimize applications available on a computer Component: An application/utility that is installed/removed using the Control Panel Add/Remove program E.g., Internet Information Service (IIS) = Web Service Services are part of the OS and can be enabled or disabled: e.g., telnet Description of each service: www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodsp ects/win2ksv Remote Control: Objects accessible via Network Neighborhood are called Shares Examples: Printers, files, directories. E.g.: C: becomes C$ Shares have permissions allocated to them: Everyone = Read (XP & 2003) Hacking Part 1 12 SMB: Server Message Block Application Supports File Sharing, Print Sharing, and Group Policy transmission services associated with LAN Manager, Microsoft Networking Client/Server protocol controlling printers, named pipes, mail slots, and APIs, including Microsoft Explorer. Has two levels of security Share – E.g., Shared printer, shared disk. Each share has a password User – Each user logs onto server and each file has permissions associated with it. Usernames/Passwords retained in Domain Controller for a domain Windows NT: Security Accounts Manager (SAM) Login & Service name sent in cleartext. Encrypted password can be cracked Windows 2000: Active Directory & Key Distribution Center (Kerberos) Secure encryption and authentication SMB can require Digital Signatures (optional): HKEY_LOCAL_MACHINE, Enable or Require Security Signature Shares have a tree structure. SMB Protocol Stack: SMB NetBIOS TCP/IP IPX/SPX NetBEUI Data Link Physical Name Services Name Service Before Windows 2000: Name Service: Maps drive letters E:, F:, printer ports LPT1: to SHARE names or Universal Naming Convention (UNC) names. Redirector: Translates requests from Network services to SMB requests for name service translation. SMB can choose: NBT: NetBIOS over TCP/IP NBT used by Workstation Service, Server service, Browser service, Messenger service, Net Logon service. NBT is used to communicate with earlier OS: Windows NT, 95, 98 NBT is needed for mixed-mode networks to support earlier Windows computers. Uses Port 139 Hacking Part 1 13 Name Service after Windows 2000: Direct Hosting: DNS is used instead of NetBIOS Can be used with Windows 2000 & later XP in ‘Native Mode’ By default in Windows 2000, both NetBIOS and direct hosting are enabled, but one can be disabled. Uses Port 445 To Disable NetBIOS support StartSettingsNetworkDial Up Connection Right click Local Area ConnectionProperties Select IP (TCP/IP) Properties Advanced WINS tab Select Disable NBT All computers must be Windows 2000 or later Protocol Layer Architecture NetBIOS Interface (Pre-2000): NETAPI32.DLL (user mode) NetBIOS Emulator (kernel mode) mode) TCP/IP (NetBT) or NBF NDIS NIC Driver Windows Socket Interface (Post-2000): WSOCK32.DLL (user mode) Windows Socket Emulator (kernel TCP/IP NDIS NIC Driver NDIS: Network Driver Interface Specification: Standard defining the interface between MAC & Higher level protocols. NetBT or NBT: NetBIOS over TCP/IP NBF: NetBIOS Frame Protocol NetBEUI (Enhanced User Interface) is precursor protocol of NBF Replaces TCP/IP or sits above TCP/IP Not routable without TCP/IP Connection-oriented and connectionless Hacking Part 1 14 MS Windows Internal Ports Before Windows 2000 NetBIOS Name Server: UDP 137 (NBT name service) NetBIOS Datagram Server: UDP 138: Can send a datagram with a short message (text) NetBIOS Session Server: TCP 139 (NBT name service, SMB) After Windows 2000: Domain Name Server (DNS): UDP 53 Lightweight Directory Access Protocol (LDAP): Selecting My Network Places to search to in Active Directory Server TCP/UDP 389; TCP port 3268 TCP 3269: Global Catalog TCP 636: LDAP SSL SMB Direct Hosting: Selecting a particular service within My Network Places: TCP port 445 Kerberos: Encrypted Authentication: TCP/UDP 88. TCP/UDP 464 TCP 544: KShell Other Local Services: Terminal Server: TCP 3389 DHCP: DHCP Manager: TCP 135 DHCP Lease: UDP 67-68 A Look at Specific Applications: Microsoft NetBIOS Name Service Enumeration UDP 137 NetBIOS Name Service is the precursor to DNS (before Windows 2000) Lists all domains on the network: C:\> net view /domain Lists all computers within a domain: C:\> net view /domain:computer1 Lists the system name, the domain, logged-on users and running I-net services C:\> nbtstat –A <ip_addr> C:\> nbtscan <ip_addr>/<CIDR extension> Countermeasures: Block UDP 137 at firewall and routers. (This does disable NetBIOS name resolution across routers.) To prevent user data showing up, disable Alerter & Messenger services on individual hosts NetBIOS Session Enumeration, TCP 139, 445 Hacking Part 1 15 Used for Windows File & Print Sharing system’s Server Message Block (SMB) protocol Null session may get access to network information, users, groups, Registry keys, etc. C:\> net use \\<ip_addr>\IPC$ “” /u: “” Many tools exist – one tool is the user2sid and sid2user tools, which offer account names. C:\> User2sid \\<ip_addr> “domain users” C:\> Sid2user \\<ip_addr> <sid> <rid> Another tool shows password policies, user names, etc. C:\> enum –U –d –P –L –c <ip_addr> Countermeasure: Block TCP 139 at network perimeters. Disable SMB services on Network & Dial-up Connections/Advanced/Advanced Settings/unbind File & Print Sharing OR Disable enumeration via regedt32 tool at HKLM\SYSTEM\CurrentControlSet\Control\LSA, by changing Restrict Anonymous value to 2 (if not available: 1) Additional security measures are listed in Hacking Exposed to prevent Registry enumeration, etc. To disable Port 445 select (Windows 2000 & later): Network & Dialup Connections/Advanced (Bar)/Advanced Settings Deselect File & Printer Sharing for MSN Networks To disable Port 139: (Windows 2000 & later) Network & Dialup Connections/Properties of Internet/Advanced button/WINS tab/Disable NetBIOS over TCP/IP Active Directory TCP/UDP 389, 3268 Lightweight Directory Access Protocol (LDAP) can browse the Active Directory Can provide list of all users and groups via ldp tool Countermeasures: Block TCP/UDP 389, 3268 at firewall, external routers. Run Active Directory in native mode, with a network of Windows 2000 and later nodes Auditing Microsoft Help Web pages for MS Windows for security tools, checklists, and guides: www.microsoft.com/technet/security/chklist/default.mspx US National Security Agency: www.nsa.gov/snac/index.cfm US National Institute of Standards and Technology (NIST) www.csrc.nist.gov